Entra External Auth for ADO

alexwilcox9 · alexwilcox9 · commit e12e6e3b83a9 · 2024-02-29T14:40:40.000Z
diff --git a/coderd/externalauth/externalauth.go b/coderd/externalauth/externalauth.go
@@ -499,6 +499,9 @@ func ConvertConfig(instrument *promoauth.Factory, entries []codersdk.ExternalAut
 		if entry.Type == string(codersdk.EnhancedExternalAuthProviderAzureDevops) {
 			oauthConfig = &jwtConfig{oc}
 		}
+		if entry.Type == string(codersdk.EnhancedExternalAuthProviderAzureDevopsEntra) {
+			oauthConfig = &jwtConfigEntraV1{oc}
+		}
 		if entry.Type == string(codersdk.EnhancedExternalAuthProviderJFrog) {
 			oauthConfig = &exchangeWithClientSecret{oc}
 		}
@@ -739,6 +742,11 @@ var staticDefaults = map[codersdk.EnhancedExternalAuthProvider]codersdk.External
 		Regex:       `^(https?://)?dev\.azure\.com(/.*)?$`,
 		Scopes:      []string{"vso.code_write"},
 	},
+	codersdk.EnhancedExternalAuthProviderAzureDevopsEntra: {
+		DisplayName: "Azure DevOps (Entra)",
+		DisplayIcon: "/icon/azure-devops.svg",
+		Regex:       `^(https?://)?dev\.azure\.com(/.*)?$`,
+	},
 	codersdk.EnhancedExternalAuthProviderBitBucketCloud: {
 		AuthURL:     "https://bitbucket.org/site/oauth2/authorize",
 		TokenURL:    "https://bitbucket.org/site/oauth2/access_token",
@@ -811,6 +819,24 @@ func (c *jwtConfig) Exchange(ctx context.Context, code string, opts ...oauth2.Au
 	)
 }
 
+// When authenticating via Entra ID ADO only supports v1 tokens that requires the 'resource' rather than scopes
+// When ADO gets support for V2 Entra ID tokens this struct and functions can be removed
+type jwtConfigEntraV1 struct {
+	*oauth2.Config
+}
+
+func (c *jwtConfigEntraV1) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string {
+	return c.Config.AuthCodeURL(state, append(opts, oauth2.SetAuthURLParam("resource", "499b84ac-1321-427f-aa17-267ca6975798"))...)
+}
+
+func (c *jwtConfigEntraV1) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	return c.Config.Exchange(ctx, code,
+		append(opts,
+			oauth2.SetAuthURLParam("resource", "499b84ac-1321-427f-aa17-267ca6975798"),
+		)...,
+	)
+}
+
 // exchangeWithClientSecret wraps an OAuth config and adds the client secret
 // to the Exchange request as a Bearer header. This is used by JFrog Artifactory.
 type exchangeWithClientSecret struct {
diff --git a/codersdk/externalauth.go b/codersdk/externalauth.go
@@ -25,6 +25,7 @@ func (e EnhancedExternalAuthProvider) Git() bool {
 		EnhancedExternalAuthProviderBitBucketCloud,
 		EnhancedExternalAuthProviderBitBucketServer,
 		EnhancedExternalAuthProviderAzureDevops,
+		EnhancedExternalAuthProviderAzureDevopsEntra,
 		EnhancedExternalAuthProviderGitea:
 		return true
 	default:
@@ -33,9 +34,10 @@ func (e EnhancedExternalAuthProvider) Git() bool {
 }
 
 const (
-	EnhancedExternalAuthProviderAzureDevops EnhancedExternalAuthProvider = "azure-devops"
-	EnhancedExternalAuthProviderGitHub      EnhancedExternalAuthProvider = "github"
-	EnhancedExternalAuthProviderGitLab      EnhancedExternalAuthProvider = "gitlab"
+	EnhancedExternalAuthProviderAzureDevops      EnhancedExternalAuthProvider = "azure-devops"
+	EnhancedExternalAuthProviderAzureDevopsEntra EnhancedExternalAuthProvider = "azure-devops-entra"
+	EnhancedExternalAuthProviderGitHub           EnhancedExternalAuthProvider = "github"
+	EnhancedExternalAuthProviderGitLab           EnhancedExternalAuthProvider = "gitlab"
 	// EnhancedExternalAuthProviderBitBucketCloud is the Bitbucket Cloud provider.
 	// Not to be confused with the self-hosted 'EnhancedExternalAuthProviderBitBucketServer'
 	EnhancedExternalAuthProviderBitBucketCloud  EnhancedExternalAuthProvider = "bitbucket-cloud"
diff --git a/docs/admin/external-auth.md b/docs/admin/external-auth.md
@@ -23,6 +23,7 @@ application. The following providers are supported:
 - [GitLab](https://docs.gitlab.com/ee/integration/oauth_provider.html)
 - [BitBucket](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/)
 - [Azure DevOps](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops)
+- [Azure DevOps (via Entra ID)](https://learn.microsoft.com/en-us/entra/architecture/auth-oauth2)
 
 Example callback URL:
 `https://coder.example.com/external-auth/primary-github/callback`. Use an
@@ -108,6 +109,21 @@ CODER_EXTERNAL_AUTH_0_AUTH_URL="https://app.vssps.visualstudio.com/oauth2/author
 CODER_EXTERNAL_AUTH_0_TOKEN_URL="https://app.vssps.visualstudio.com/oauth2/token"
 ```
 
+### Azure DevOps (via Entra ID)
+
+Azure DevOps (via Entra ID) requires the following environment variables:
+
+```env
+CODER_EXTERNAL_AUTH_0_ID="primary-azure-devops"
+CODER_EXTERNAL_AUTH_0_TYPE=azure-devops-entra
+CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
+CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
+CODER_EXTERNAL_AUTH_0_AUTH_URL="https://login.microsoftonline.com/<TENANT ID>/oauth2/authorize"
+CODER_EXTERNAL_AUTH_0_TOKEN_URL="https://login.microsoftonline.com/<TENANT ID>/oauth2/token"
+```
+
+> Note: Your app registration in Entra ID requires the `vso.code_write` scope
+
 ### GitLab self-managed
 
 GitLab self-managed requires the following environment variables:
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
